I need to renew the SSL certification for my Linux mail server (Zimbra)

Okay, so … I’m trusting the wiki here as I’m not a Zimbra user myself …

The general procedure will be something along the lines of:

  1. Stop Zimbra
  2. Get your certificate
  3. Install the certificate
  4. Restart Zimbra

The wiki provides instructions on how to complete each of these steps, individually, manually.

Ideally, you want automated renewals. The way this would work is: you run a certbot command and pass it some options to run other commands before and after it tries to obtain your certificate. Then it will remember those commands and automatically run them again when it renews.

I don’t use Zimbra and I haven’t tested this procedure so try it out at your own risk. If you’re not comfortable with that then stick with the wiki I guess.

First you need the root certificate (you shouldn’t really need this but apparently it’s a quirk of Zimbra that it’s required). The link in the wiki seems stale but you can download it from crt.sh by running this command:

curl 'https://crt.sh/?d=8395' -o /root/identrust.pem

Next, the process to install the certificate is quite complicated so create a script for it. Create a file named, say, /root/zimbra-deploy.sh and add the following contents to it:

#!/bin/bash -e

# $RENEWED_LINEAGE is exported by certbot when it runs a --deploy-hook and
# points at the lineage directory (e.g. /etc/letsencrypt/live/<your domain>).
# Combine the intermediate and root certificates as required by Zimbra:
cat "$RENEWED_LINEAGE/chain.pem" /root/identrust.pem > "$RENEWED_LINEAGE/zimbrachain.pem"

# Backup the existing cert:
cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")"

# Copy the private key to the required location:
umask 037
cp "$RENEWED_LINEAGE/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key

# Deploy the certificate to Zimbra:
/opt/zimbra/bin/zmcertmgr deploycrt comm "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/zimbrachain.pem"

Save the file, then make it executable with chmod +x /root/zimbra-deploy.sh

Now everything should be ready to run Certbot:

./certbot-auto certonly --standalone -d mailserver.yourdomain.ca --pre-hook "zmproxyctl stop; zmmailboxdctl stop" --post-hook "zmcontrol restart" --deploy-hook /root/zimbra-deploy.sh

Remember to change mailserver.yourdomain.ca to your actual domain :wink:

If that all works, you can then set up a cron job to run /root/certbot-auto -q renew twice a day. It will do nothing until your cert is 30 days from expiry, then it will run those hook commands again to stop Zimbra, renew your cert, install it, and restart.

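A more defensive version of the deploy hook, written as an added example rather than the script from the post above. It keeps the same steps (bundle chain + root, back up the old directory, copy the key with a restrictive umask, run zmcertmgr) but refuses to touch Zimbra unless certbot handed over a complete lineage, the root file actually looks like a PEM certificate, and the private key really belongs to the certificate. The paths in ROOT_CERT, ZMCERTMGR and ZIMBRA_SSL are my assumptions (overridable through the environment); RENEWED_LINEAGE is the variable certbot itself sets for deploy hooks. It is written in POSIX sh so it also runs under dash.

```shell
#!/bin/sh
# Hardened Zimbra deploy hook: an added example, not the script from the post above.
# Assumptions (mine): certbot exports RENEWED_LINEAGE (it does, pointing at the
# live/<domain> directory), the IdenTrust root was saved to ROOT_CERT, and
# zmcertmgr lives at ZMCERTMGR.
set -eu

ROOT_CERT="${ROOT_CERT:-/root/identrust.pem}"
ZMCERTMGR="${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}"
ZIMBRA_SSL="${ZIMBRA_SSL:-/opt/zimbra/ssl/zimbra}"

# Succeed only if the file contains at least one PEM certificate block.
looks_like_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Refuse to touch Zimbra unless certbot produced a complete, non-empty lineage.
check_lineage() {
  lineage="$1"
  for f in cert.pem chain.pem privkey.pem; do
    [ -s "$lineage/$f" ] || { echo "missing or empty $lineage/$f" >&2; return 1; }
  done
  looks_like_pem_cert "$lineage/cert.pem" \
    || { echo "$lineage/cert.pem is not a PEM certificate" >&2; return 1; }
}

# Build the intermediate+root bundle Zimbra wants, writing it to $2.
build_chain() {
  lineage="$1"; out="$2"
  looks_like_pem_cert "$ROOT_CERT" \
    || { echo "root cert $ROOT_CERT missing or not PEM" >&2; return 1; }
  cat "$lineage/chain.pem" "$ROOT_CERT" > "$out"
}

# Confirm the private key belongs to the certificate by comparing the public
# key each one yields (works for RSA and ECDSA alike); deploying a mismatched
# pair would leave Zimbra's services unable to bring up TLS.
key_matches_cert() {
  from_cert=$(openssl x509 -noout -pubkey -in "$1")
  from_key=$(openssl pkey -pubout -in "$2")
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

deploy() {
  lineage="$1"
  check_lineage "$lineage"
  build_chain "$lineage" "$lineage/zimbrachain.pem"
  key_matches_cert "$lineage/cert.pem" "$lineage/privkey.pem" \
    || { echo "privkey.pem does not match cert.pem; refusing to deploy" >&2; return 1; }
  # Timestamped backup so two renewals on one day do not clobber each other.
  cp -a "$ZIMBRA_SSL" "$ZIMBRA_SSL.$(date +%Y%m%d%H%M%S)"
  # The private key must not be group/world readable.
  umask 037
  cp "$lineage/privkey.pem" "$ZIMBRA_SSL/commercial/commercial.key"
  "$ZMCERTMGR" deploycrt comm "$lineage/cert.pem" "$lineage/zimbrachain.pem"
}

# certbot sets RENEWED_LINEAGE when it calls a --deploy-hook; when the file is
# run or sourced without it (e.g. for testing), only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy "$RENEWED_LINEAGE"
fi
```

Save it as the file you pass to --deploy-hook; because the script exits non-zero on any failed check, certbot will report the hook error instead of leaving Zimbra half-deployed, and the untouched backup directory makes rolling back a matter of moving it back into place.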